Today brings us yet another massive data breach, this time of Anthem, the second-largest provider of health insurance in the United States. Various media reports are indicating that the personal information of 70 million or more customers may have been compromised. Anthem has set up a web site focused on the information, stating:
“These attackers gained unauthorized access to Anthem’s IT system and have obtained personal information from our current and former members such as their names, birthdays, medical IDs/social security numbers, street addresses, email addresses and employment information, including income data.”
It is not clear exactly how the attackers gained access to Anthem’s systems, but The Verge is reporting that the breach was discovered by a system administrator:
“Anthem only discovered its breach last week when a systems administrator caught a database query being run under his identification without his knowledge.”
They happened to catch the breach – but what if they had missed it?
With a data breach of this size, and now with the involvement of the FBI and other law enforcement agencies, we will hopefully learn more in the future about the vulnerabilities in Anthem’s systems that allowed this attack to occur.
But today’s breach highlights the critical role each of us and our organizations play in our networked world. The Internet is a “network of networks” and the security of our overall online world is shared by all of us.
We all have to do our part to secure our networks and systems that are connected to the rest of the world. As we stated in our recent “Approach to Cyber Security Policy”:
“Security is not achieved by a single treaty or piece of legislation; it is not solved by a single technical fix, nor can it come about because one company or sector of the economy decides security is important. Creating security and trust in the Internet requires different players (within their different responsibilities and roles) to take action, closest to where the issues are occurring.”
In this case, it seems to be vulnerabilities within the enterprise systems at Anthem that allowed the attackers to penetrate their systems and steal this data. While it is tempting to call this an “Internet security” problem, we should look at this as a security issue that arises from being connected to the Internet. That said, these thefts will cause people to have a little less confidence in the Internet at large.
If you look at the recommendations of our approach to cybersecurity you can consider the following points:
- Enterprises that carry privacy-sensitive data have an obligation (if not legal, then moral) to protect that data with state-of-the-art methods. As a company one should always ask oneself: should this data and these systems be connected in any way to the Internet?
- Collaboration in solving the crime: the FBI and other law enforcement agencies are cooperating. Solving these sorts of crimes is hard: the traces left are minimal and the criminals are often in different jurisdictions. Collaboration, within the bounds of law, is critical to solving crimes like this.
- Collaboration also means transparency: not only about the fact that a data breach happened, but also in sharing information about the root causes, so that others can learn from the experience.
As my colleague Robin Wilton writes, this is ultimately an issue of trust.
Trust in the Internet… trust in the online systems… and trust in each other.
Each of us needs to look at the security of our own infrastructure and ensure that we are doing our part to protect the online global commons.
What are YOU doing to secure your infrastructure?
For resources and information about securing your infrastructure, please visit:
- Our policy work on security
- The Internet Technology Matters section of our site
- The Deploy360 Programme – IPv6, DNSSEC, TLS and securing BGP